Date: Tue, 19 Feb 2019 10:19:44 +0100
From: Henning Schild
To: "[ext] claudius.heine.ext@siemens.com"
Cc: , Claudius Heine
Subject: Re: [PATCH] added 'isar-cfg-userpw' package
Message-ID: <20190219101944.4c7b8873@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190218175834.1360d953@md1za8fc.ad001.siemens.net>
References: <20190218162113.8538-1-claudius.heine.ext@siemens.com> <20190218175834.1360d953@md1za8fc.ad001.siemens.net>

On Mon, 18 Feb 2019 17:58:34 +0100
"[ext] Henning Schild" wrote:

> Thanks for looking into that, good addition to the root-PW story!
>
> On Mon, 18 Feb 2019 17:21:13 +0100
> "[ext] claudius.heine.ext@siemens.com" wrote:
>
> > From: Claudius Heine
> >
> > With this package setting of arbitrary user passwords should be
> > possible.
> >
> > To do this use the 'CFG_USER_PW' variable as described in the user
> > manual.
> > > > Signed-off-by: Claudius Heine > > --- > > doc/user_manual.md | 1 + > > meta-isar/conf/local.conf.sample | 2 ++ > > meta/classes/isar-image.bbclass | 2 +- > > .../isar-cfg-userpw/files/postinst.tmpl | 15 ++++++++++++ > > .../isar-cfg-userpw/isar-cfg-userpw.bb | 23 > > +++++++++++++++++++ 5 files changed, 42 insertions(+), 1 deletion(-) > > create mode 100644 > > meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl create mode > > 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > > > > diff --git a/doc/user_manual.md b/doc/user_manual.md > > index db0bf85..53bb36a 100644 > > --- a/doc/user_manual.md > > +++ b/doc/user_manual.md > > @@ -328,6 +328,7 @@ Some other variables include: > > - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the > > default URI in the format `ftp.debian.org my.preferred.mirror`. This > > variable is optional. > > - `CFG_ROOT_PW` - The encrypted root password to be set. To > > encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` > > package of Debian. If the variable is empty, root login is > > passwordless. > > - `CFG_ROOT_LOCKED` - If set to `1` the root account will be > > locked. > > + - `CFG_USER_PW` - A space separated list of user names and > > encrypted passwords separated by a colon. (e.g. > > `username1:encryptedpw1 username2:encryptedpw2`) --- > > > > diff --git a/meta-isar/conf/local.conf.sample > > b/meta-isar/conf/local.conf.sample index e5827aa..494a283 100644 > > --- a/meta-isar/conf/local.conf.sample > > +++ b/meta-isar/conf/local.conf.sample 
> > @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?= "0" > > # mkpasswd -m sha512crypt -R 10000 > > # mkpasswd is part of the 'whois' package of Debian > > CFG_ROOT_PW ?= > > "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" > > +# Set user 'isar' password to 'isar': +CFG_USER_PW ?= > > "isar:$6$rounds=10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1" > > diff --git a/meta/classes/isar-image.bbclass > > b/meta/classes/isar-image.bbclass index cdd1651..0100d0b 100644 --- > > a/meta/classes/isar-image.bbclass +++ > > b/meta/classes/isar-image.bbclass @@ -17,7 +17,7 @@ SRC_URI += "${@ > > cfg_script(d) }" > > DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > > > > -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" > > +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw > > isar-cfg-userpw" > > WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > > > > diff --git > > a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > > b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl new file > > mode 100644 index 0000000..47fffd0 --- /dev/null > > +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > > @@ -0,0 +1,15 @@ > > +#!/bin/sh > > +set -e > > + > > +USER_ENTRIES='${CFG_USER_PW} ' > > + > > +while true; do > > + USER_ENTRY="${USER_ENTRIES%% *}" # First element of list > > + USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" # Rest of list > > + > > + if [ -z "${USER_ENTRY}" ]; then > > + break > > + fi > > We should fail hard if someone (ab)uses this to set the root-password. In fact we might just fold the root logic and this together and have just one package. The code is so fresh we will hardly offend anyone already using it. Henning > Henning > > > + printf '%s' "${USER_ENTRY}" | chpasswd -e > > +done 
> > diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > > b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb new file > > mode 100644 index 0000000..75b0446 > > --- /dev/null > > +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > > @@ -0,0 +1,23 @@ > > +# This software is a part of ISAR. > > + > > +DESCRIPTION = "Isar configuration package for user passwords" > > +MAINTAINER = "isar-users " > > +DEBIAN_DEPENDS = "passwd" > > + > > +SRC_URI = "file://postinst.tmpl" > > + > > +TEMPLATE_FILES = "postinst.tmpl" > > +TEMPLATE_VARS = "CFG_USER_PW" > > + > > +CFG_USER_PW ?= "" > > + > > +python() { > > + # Enforce CFG_USER_PW to be a single space separated array > > + d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW", > > True).split())) +} > > + > > +inherit dpkg-raw > > + > > +do_install() { > > + echo "intentionally left blank" > > +} >
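
Review bot: the new `CFG_USER_PW` entry in doc/user_manual.md does not say how the encrypted passwords are produced or that the named users must already exist in the image. The `CFG_ROOT_PW` entry just above it points to `mkpasswd`; the new entry should do the same. It should also state that the package only sets passwords (postinst.tmpl calls nothing but `chpasswd -e`) and does not create accounts, and what an empty value means.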
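
Review bot: in meta-isar/conf/local.conf.sample the added `CFG_USER_PW ?=` line enables a published password (`isar`, per the comment above it) for every build that starts from the sample, and nothing in this patch creates an `isar` user. Because postinst.tmpl runs under `set -e`, a `chpasswd -e` call that fails for a missing account would fail the package's postinst. Suggest shipping the line commented out as an example, or naming the recipe that provides the user.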
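
Review bot: in postinst.tmpl the inner expansion in `USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }"` is unquoted, so the shell treats the entry as a pattern rather than a literal string. If an entry ever contains a bracket expression or a backslash, the prefix may not match, the list never shrinks, and `while true` never terminates. Quote the inner expansion, `"${USER_ENTRIES#"${USER_ENTRY}" }"`, and consider checking each entry with a `case` on `*:*` before it is piped to `chpasswd -e`, which is also the natural place for the hard failure on `root:` entries requested in the reply.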
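
Review bot: the anonymous `python()` block in isar-cfg-userpw.bb only normalizes whitespace in `CFG_USER_PW`; it does not check that each element has the `name:hash` form the manual describes, so a malformed value is first noticed when the postinst runs inside the image. Validate here instead: split each element on the first colon, reject an empty name or hash (and `root`, if the root logic stays in its own package), and stop the build with `bb.fatal` so the error shows up at parse time.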